The Aggregation Model is Falling Short - Security Boulevard

The Aggregation Model is Falling Short

The following is an excerpt from our recent whitepaper, “Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks,” in which we dive into how traditional cybersecurity tools work, why this fundamentally limits them from being able to detect zero-day or previously unknown attacks, why the industry standard for breach detection is around six to eight months and how modern, contextually-aware AI overcomes the limitations of traditional cybersecurity solutions.

The Aggregation Model is Falling Short

Here’s how traditional categories of NTA, SIEM, XDR and UEBA usually operate:

  1. Aggregate historical information about network behavior.
  2. Normalize it for search and investigation.
  3. Write corresponding rules to trigger responses from the cybersecurity product.
  4. Run queries on a limited data set to detect anomalous behavior based on the aggregated historical behavioral insights.

At first glance, this may seem like a comprehensive approach, and in a bubble where only expected behavior occurs within limited data sets, it could be. In the real world, behavior and associated data is constantly changing and what’s acceptable one day could be anomalous the next (or vice versa).

Even if a dedicated team were to constantly input new rules, they could never fully capture the realities of a living, breathing modern network that might include hundreds or even thousands of connected BYOD devices, IoT sensors, server banks, cloud depositories…the list just keeps growing.

Significant Detection Delays Lead to Significant Data Losses

Geoff Coulehan, Head of Strategic Alliances for MixMode, points to the significant delay in informative analysis as the heart of the problem when it comes to zero-day attacks, including no signature attacks. Real-time threat detection is woefully lacking for the vast majority of solutions available on the current market.

Rules-based systems are not only limited because it’s a constant battle to keep rules updated. Rules themselves are underpinned by a dependency on known behaviors and signature-based detections. 

“Aggregate and log information is alway out of date, and systems are exclusively looking for known signatures and behaviours,” Coulehan explains. “It begs the question: How then, even theoretically or conceptually, could one argue that these systems are effective in addressing zero-day attacks?”

Continue reading and download this whitepaper here:

Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks

MixMode Articles You Might Like:

Log Data is Not Effective as a Foundation for Prevention, Detection, Remediation or Analytics

Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks

How AI is Contributing to Global Warming and What it Can Learn from Bitcoin

Incremental Stacking of Correlative Analysis Platforms Will Ultimately Prove Ineffective and Costly

A Modern SOC Should Not Be Entirely Dependent On Human Operators and Their Personal Experience

Maximize ROI with Greater Efficacy Using Unsupervised AI

*** This is a Security Bloggers Network syndicated blog from MixMode authored by Christian Wiens. Read the original post at: https://mixmode.ai/blog/the-aggregation-model-is-falling-short/